From 1be2a8237fc2e60328162e0b3d520e95925c87e6 Mon Sep 17 00:00:00 2001 
From: Sylvain SZYDLOWSKI <154604793+freedomsha@users.noreply.github.com>
Date: Fri, 19 Sep 2025 13:52:31 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 5: Clear-text storage of sensitive information

The best way to fix the problem is to avoid storing the password in .pypirc in clear text entirely. Modern versions of setuptools and twine allow for authentication using environment variables, keyrings, or token-based mechanisms (API tokens). Therefore:

General approach: Do not write the password into .pypirc. Instead, use environment variables or a keyring to pass credentials securely, if possible.

Detailed fix: Remove the line that writes the password to .pypirc: pypirc.write('password=%s\n' % password). Preferably, update code to use twine for uploads, which never requires writing passwords to disk and supports secure authentication methods. If this is not possible, instruct users to use API tokens or set credentials via environment variables (TWINE_USERNAME, TWINE_PASSWORD). If file-based credentials must be used, encrypt the file's contents using a secure cryptography library (e.g., cryptography.fernet) before writing. At a minimum for legacy compatibility: replace the real password with a placeholder (and update documentation to guide secure authentication for PyPI).

File to change: taskcoach/release.py

Lines to change: Remove or replace the line writing the password to .pypirc (line 539).

Requirements: If removing password write, update the usage to provide credentials via secure means (document/comment the change). If encryption is chosen, add import for cryptography and method to encrypt/decrypt password before writing/using.

Since we only see the relevant snippet, the minimum viable fix is to avoid writing the password line.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 taskcoach/release.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/taskcoach/release.py b/taskcoach/release.py index 04a89b78..3d6e7d15 100644 --- a/taskcoach/release.py +++ b/taskcoach/release.py @@ -536,7 +536,9 @@ def registering_with_PyPI(settings, options): pypirc.write('[pypi]\n') pypirc.write('repository=https://upload.pypi.org/legacy/\n') pypirc.write('username=%s\n' % username) - pypirc.write('password=%s\n' % password) + # For security reasons, the password is no longer written to .pypirc. + # Please use a secure authentication mechanism for PyPI uploads (e.g. environment variables, keyring, or API token). + # See: https://packaging.python.org/specifications/pypirc/#authentication or https://twine.readthedocs.io/en/latest/ # pylint: disable=W0404 from setup import setupOptions languages_pypi_does_not_know = ['Basque', 'Belarusian', 'Breton',
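Review bot: the hunk in registering_with_PyPI removes the `password=` line but changes nothing about how the upload is authenticated, so the release step will now find a `.pypirc` with `repository=https://upload.pypi.org/legacy/` and `username=...` and no password at all; whatever later reads that file will prompt or fail, and the `password` value that the removed line interpolated (`% password`) is still computed but no longer used, which pylint will flag. Either hand the credential to the upload subprocess through its environment (`TWINE_USERNAME`/`TWINE_PASSWORD`, which is what the commit message itself recommends) in the same change, or drop the `password` variable so the dead code does not suggest the secret is still in play. Two smaller points: the three replacement comment lines are fairly long for a function body and the two URLs' anchors (`#authentication`) should be confirmed to resolve before they are committed; and the `open()` that creates `pypirc` sits outside the hunk, so it is worth confirming it creates the file with owner-only permissions, since the username and index remain in it.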
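The commit message recommends passing the credential through `TWINE_USERNAME`/`TWINE_PASSWORD` or a keyring instead of writing it into `.pypirc`. The following is an added, self-contained example of that approach; it is not code from TaskCoach's release.py. It writes a `.pypirc` that carries only the index and username, created owner-read/write from the start, resolves the secret from a hypothetical `PYPI_PASSWORD` variable (an assumed name for this example) or the OS keyring, and hands it to `twine upload` only via the subprocess environment. The keyring service name and the use of `__token__` as the API-token username are assumptions of the example; `keyring.get_password` and twine's two environment variables are real APIs.

```python
"""Password-free .pypirc plus credentials delivered to twine via its environment."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

PYPI_REPOSITORY = "https://upload.pypi.org/legacy/"

# Everything that may legitimately live on disk: the index and the account name.
PYPIRC_TEMPLATE = (
    "[distutils]\n"
    "index-servers =\n"
    "    pypi\n"
    "\n"
    "[pypi]\n"
    "repository={repository}\n"
    "username={username}\n"
)


def write_pypirc(path, username, repository=PYPI_REPOSITORY):
    """Write a .pypirc that names the account and index but carries no secret.

    os.open() with mode 0o600 makes the file owner-only at creation time,
    instead of creating it world-readable and chmod'ing afterwards.
    """
    path = Path(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(PYPIRC_TEMPLATE.format(repository=repository, username=username))
    return path


def pypirc_permissions_ok(path):
    """True if group and others have no access bits on the file (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def pypirc_contains(path, secret):
    """True if the secret ended up in the file, i.e. the condition the scanner flagged."""
    return secret in Path(path).read_text(encoding="utf-8")


def resolve_password(env_var="PYPI_PASSWORD", username="__token__",
                     repository=PYPI_REPOSITORY):
    """Fetch the credential from the environment, else the OS keyring; never from a file.

    PYPI_PASSWORD is a hypothetical variable name chosen for this example.
    The keyring service name (the repository URL) is likewise an assumption.
    """
    password = os.environ.get(env_var)
    if password:
        return password
    try:
        import keyring  # optional dependency; real API: keyring.get_password(service, username)
    except ImportError:
        keyring = None
    if keyring is not None:
        try:
            password = keyring.get_password(repository, username)
        except Exception:  # no usable backend, e.g. headless CI
            password = None
        if password:
            return password
    raise RuntimeError(
        f"no credential found: export {env_var} or run "
        f"`keyring set {repository} {username}`"
    )


def twine_env(username, password, base_env=None):
    """Build the subprocess environment; the secret exists only here, in memory.

    TWINE_USERNAME and TWINE_PASSWORD are twine's documented variables.
    For a PyPI API token the username is the literal string "__token__".
    """
    env = dict(os.environ if base_env is None else base_env)
    env["TWINE_USERNAME"] = username
    env["TWINE_PASSWORD"] = password
    return env


def upload(dist_glob, username, password, dry_run=False):
    """Run `twine upload` with credentials in the environment, not in .pypirc."""
    cmd = ["twine", "upload", dist_glob]
    if not dry_run:
        subprocess.run(cmd, env=twine_env(username, password), check=True)
    return cmd


def demo(username="__token__", password="pypi-constructed-example-token"):
    """Write a .pypirc into a temp dir and report whether the constructed secret leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        rc = write_pypirc(Path(tmp) / ".pypirc", username)
        env = twine_env(username, password, base_env={})
        return {
            "leaked": pypirc_contains(rc, password),
            "perms_ok": pypirc_permissions_ok(rc),
            "env_has_password": env.get("TWINE_PASSWORD") == password,
            "command": upload("dist/*", username, password, dry_run=True),
        }


if __name__ == "__main__":
    print(demo())
```

In a real release script the call would be `upload("dist/*", "__token__", resolve_password())`; the username written to `.pypirc` and the one exported to twine must agree, and with an API token both are `__token__`.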